dnf
Fix handling of multiple OPENPGPKEY records in the DNSSEC module
Work in progress. I mainly want to trigger CI.
LGTM
Here is some background: http://miroslav.suchy.cz/blog/archives/2021/02/18/different_opengpg_dns_entries_for_the_same_email/index.html
Just testing the CI... bors try
I'd like to use a packit build to verify that this modification works but it seems to fail consistently in all PRs. Are there any plans to fix it, @lukash ?
There is an issue. The code stores to DNSSECKeyVerification._cache only one key, not the whole set.
You can try it with [email protected] who already has keys in DNS and has 3 keys there. The first cache_miss results in VALID, but the next loop for [email protected] goes into cache_hit but the key in the cache does not match input_key.key
Good catch!
I tried to patch the code to include the whole set in the cache, but I haven't had time to run it yet.
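The caching problem described in the comments above, next to a cache that holds the whole record set, modelled as an added example; this is not dnf's code. The class names, the `Result` enum, the address and the key bytes are constructed for illustration, and DNSSEC validation itself is not modelled.

```python
from enum import Enum

class Result(Enum):
    VALID = "valid"
    MISMATCH = "mismatch"        # address has keys in DNS, but not this one
    NONEXISTENT = "nonexistent"  # address has no key in DNS

# Constructed stand-in for a validated DNS answer: one address, three records.
DNS = {"user@example.org": [b"key-A", b"key-B", b"key-C"]}

class SingleKeyCache:
    """Caches one key per address (the behaviour reported in the thread)."""
    def __init__(self, dns):
        self.dns, self.cache, self.lookups = dns, {}, 0

    def _lookup(self, email):
        self.lookups += 1                    # counts simulated DNS queries
        return self.dns.get(email, [])

    def verify(self, email, key):
        if email in self.cache:              # cache hit: compare to the one stored key
            return Result.VALID if self.cache[email] == key else Result.MISMATCH
        records = self._lookup(email)        # cache miss: the whole record set is checked
        if key in records:
            self.cache[email] = key          # ...but only the matching key is remembered
            return Result.VALID
        return Result.MISMATCH if records else Result.NONEXISTENT

class KeySetCache(SingleKeyCache):
    """Caches the whole record set, so every published key stays valid on a hit."""
    def verify(self, email, key):
        if email not in self.cache:
            self.cache[email] = frozenset(self._lookup(email))
        records = self.cache[email]
        if not records:
            return Result.NONEXISTENT
        return Result.VALID if key in records else Result.MISMATCH

def verify_all(verifier, email, keys):
    """Verify each key in turn, as a loop over several signing keys would."""
    return [verifier.verify(email, k) for k in keys]

if __name__ == "__main__":
    keys = DNS["user@example.org"]
    print(verify_all(SingleKeyCache(DNS), "user@example.org", keys))
    print(verify_all(KeySetCache(DNS), "user@example.org", keys))
```

With the single-key cache, the second and third published keys are rejected on the cache hit even though the first lookup saw all three records; both variants issue one simulated DNS query per address.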
I am really sorry, but the PR has been open too long as a Draft, therefore I am closing it.
Note: The future of software-management is in DNF5. DNF5 is written in C++, therefore the support of DNSSEC will require a completely different implementation.